Dear,
After a package update from ipa-server-4.9.2-4.module+el8.4.0+589+9650b94f.x86_64 to ipa-server-4.9.2-4.module+el8.4.0+664+1636a961.x86_64
I am unable to restart the IPA server services; the command /usr/sbin/ipa-server-upgrade fails as it is not able to reach 'https://ipa.somewhere.com:8443/ca/rest/account/login'. The DNS service is on the same server and is started by the IPA services.
Below is a piece of the log.
Thanks for your help
Best regards
--------
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://ipa.somewhere.com:8443/ca/rest/account/login': [Errno 113] No route to host
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping pki-tomcatd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
----
To complete the information:
The named-pkcs11 service is started, so resolving the host is not a problem. Here I see that the REST API is down, to my understanding.
----
# systemctl status named-pkcs11
● named-pkcs11.service - Berkeley Internet Name Domain (DNS) with native PKCS#11
   Loaded: loaded (/usr/lib/systemd/system/named-pkcs11.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-11-04 10:11:36 CET; 1min 55s ago
 Main PID: 8585 (named-pkcs11)
    Tasks: 7 (limit: 23441)
   Memory: 59.6M
   CGroup: /system.slice/named-pkcs11.service
           └─8585 /usr/sbin/named-pkcs11 -u named -c /etc/named.conf

nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.47.11#63950 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.181.4#45716 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 172.253.248.34#61146 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 172.217.41.200#37484 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.73.84#43464 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80ebf40 172.253.215.71#43628 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.47.12#50980 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.47.149#38369 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:31 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.181.1#38708 (_ldap._tcp.somewhere.com): query (cache) '_ldap._tcp.somewhere.com/SRV/IN' denied
nov. 04 10:13:31 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80ebf40 172.217.41.200#62570 (_ldap._tcp.somewhere.com): query (cache) '_ldap._tcp.somewhere.com/SRV/IN' denied

[root@ipa ~]# dig ipa.somewhere.com

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> ipa.somewhere.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22587
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ec506fda56122893ea1f0c686183a448049b2db129924d5d (good)
;; QUESTION SECTION:
;ipa.somewhere.com.		IN	A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: jeu. nov. 04 10:13:44 CET 2021
;; MSG SIZE  rcvd: 80
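The named journal above deserves a look on its own, independent of the upgrade failure. The denied queries come from globally routable source addresses (74.125.x.x, 172.217.x.x, 172.253.x.x), not from the internal network, and they ask for the IPA server's own A record and for the _ldap._tcp SRV record that IPA and AD clients use for service discovery; in other words, the server's port 53 is answering the internet. "query (cache) ... denied" is what BIND logs when a query is not answered from a loaded authoritative zone and the client is not allowed by allow-query-cache, which also fits the local dig returning SERVFAIL for the server's own name. As an added example, not code from this thread or from FreeIPA, the following Python script parses journal lines of that shape and counts denied queries per external client. The sample lines are constructed from the post (one repeated client and one RFC 1918 client added for contrast); the regex and the helper names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the journal lines posted in the thread:
# three external clients (one seen twice) and one RFC 1918 client for contrast.
SAMPLE_JOURNAL = """\
nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.47.11#63950 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:29 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.181.4#45716 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:31 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.181.1#38708 (_ldap._tcp.somewhere.com): query (cache) '_ldap._tcp.somewhere.com/SRV/IN' denied
nov. 04 10:13:31 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80dd4e0 74.125.47.11#50211 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
nov. 04 10:13:32 ipa.somewhere.com named-pkcs11[8585]: client @0x7f3ae80ebf40 10.0.0.25#41022 (ipa.somewhere.com): query (cache) 'ipa.somewhere.com/A/IN' denied
"""

# BIND 9.11 denial line (this example's own pattern):
#   named[pid]: client [@ptr] addr#port (qname): query [(cache)] 'name/type/class' denied
DENIED_RE = re.compile(
    r"named(?:-pkcs11)?\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query(?: \((?P<source>[^)]+)\))? '(?P<name>[^/']+)/(?P<qtype>[^/']+)/[^']+' denied"
)


def parse_denied(text):
    """Yield (client_ip, qname, qtype, source) for every denied-query line."""
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype"), m.group("source")


def external_denied_clients(text):
    """Count denied queries per client whose source address is globally routable.

    Private (RFC 1918), loopback and link-local clients are skipped: they are
    expected on an internal IPA server. Global sources mean port 53 is exposed.
    """
    counts = Counter()
    for ip, _name, _qtype, _source in parse_denied(text):
        if ipaddress.ip_address(ip).is_global:
            counts[ip] += 1
    return dict(counts)


def denied_names(text):
    """Names that external clients asked for, grouped by query type."""
    out = {}
    for ip, name, qtype, _source in parse_denied(text):
        if ipaddress.ip_address(ip).is_global:
            out.setdefault(qtype, set()).add(name)
    return out


def report(text):
    """Human-readable summary of what the external world is probing for."""
    lines = []
    for ip, n in sorted(external_denied_clients(text).items(), key=lambda kv: -kv[1]):
        lines.append(f"{ip}: {n} denied quer{'y' if n == 1 else 'ies'}")
    for qtype, names in sorted(denied_names(text).items()):
        lines.append(f"{qtype} lookups for: {', '.join(sorted(names))}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Real use: journalctl -u named-pkcs11 --no-pager | python3 denied_queries.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JOURNAL
    print(report(text))
```

Pipe the output of journalctl for the named unit into the script; every globally routable client it lists is a reason to check the allow-query, allow-query-cache and allow-recursion statements in /etc/named.conf and the firewall in front of port 53.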
On Thu, 04 Nov 2021, MERCIER Jonathan via FreeIPA-users wrote:
> To complete the information:
> The named-pkcs11 service is started, so resolving the host is not a problem. Here I see that the REST API is down, to my understanding.
Most likely you need to downgrade a JDK build. It is a known issue that is fixed in RHEL 8.5 in jss and pki. Not sure if that was backported to CentOS 8 Stream.
Thanks a lot, Alexander, for your quick answer, and as always thanks to your team for all the work done on FreeIPA.
I am using Rocky Linux 8, which should be close to CentOS/RHEL.
In order to provide more information I put below more log data. Currently I downgraded those ipa packages to the previous version; that works and the REST endpoint is working.
--------------------------
2021-11-05T05:19:24Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2021-11-05T05:19:24Z DEBUG request GET https://ipa.somewhere.com:8443/ca/rest/account/login
2021-11-05T05:19:24Z DEBUG request body ''
2021-11-05T05:19:24Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 262, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1269, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1315, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1264, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1040, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 978, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1429, in connect
    super().connect()
  File "/usr/lib64/python3.6/http/client.py", line 950, in connect
    (self.host,self.port), self.timeout, self.source_address)
  File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
    raise err
  File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
    sock.connect(sa)
OSError: [Errno 113] No route to host
2021-11-05T05:19:24Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2021-11-05T05:19:24Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1961, in upgrade
    upgrade_configuration()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1827, in upgrade_configuration
    cainstance.repair_profile_caIPAserviceCert()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/cainstance.py", line 1981, in repair_profile_caIPAserviceCert
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1199, in __enter__
    method='GET'
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 209, in https_request
    method=method, headers=headers)
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    raise NetworkError(uri=uri, error=str(e))
2021-11-05T05:19:24Z DEBUG The ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://ipa.somewhere.com:8443/ca/rest/account/login': [Errno 113] No route to host
2021-11-05T05:19:24Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://ipa.somewhere.com:8443/ca/rest/account/login': [Errno 113] No route to host
2021-11-05T05:19:24Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
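The traceback shows where this actually breaks: socket.create_connection() towards ipa.somewhere.com:8443 raises EHOSTUNREACH (errno 113) before any TLS or HTTP exchange happens, so the CA REST API and Dogtag itself have not been reached at all. The questions worth answering before touching packages are whether the hostname resolves to an address that is configured on this host, and what the kernel says when connecting to the CA port: "connection refused" means the address is reachable but pki-tomcatd is not listening, "no route to host" means the address cannot be delivered to (a missing route, an interface that is down, or a firewall REJECT rule, since Linux reports ICMP host/admin-prohibited as EHOSTUNREACH), and a timeout points at packets being silently dropped. The following Python preflight probe separates those cases. It is an added example, not code from this thread or from FreeIPA; the errno hints, the bind()-based locality test and the helper names are this example's own, and the `pki-tomcatd@pki-tomcat` unit referred to in a hint is the standard Dogtag unit on RHEL-family IPA servers.

```python
import errno
import socket
import threading

CA_PORT = 8443  # Dogtag CA REST port from the NetworkError in the thread

# This example's own reading of the connect() errors ipa-server-upgrade wraps
# in NetworkError.
_ERRNO_HINTS = {
    errno.ECONNREFUSED: ("reachable, nothing listening on the port: pki-tomcatd is down, "
                         "check 'systemctl status pki-tomcatd@pki-tomcat' and the CA debug log"),
    errno.EHOSTUNREACH: ("no route to host: the address is not deliverable, check "
                         "'ip route get <addr>', a firewall REJECT rule, or an interface "
                         "that is down"),
    errno.ETIMEDOUT: "timed out: packets are silently dropped, typically a firewall DROP rule",
}


def is_local_address(ip):
    """True when the address is configured on this host.

    bind() to an address the host does not own fails with EADDRNOTAVAIL, so a
    successful bind to port 0 is a cheap, root-free locality test.
    """
    fam = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(fam, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, 0))
            return True
        except OSError as e:
            if e.errno == errno.EADDRNOTAVAIL:
                return False
            raise


def probe_ca_endpoint(host, port=CA_PORT, timeout=3.0):
    """Resolve host, check it points at this machine, then try a plain TCP
    connect to the CA port. Returns a dict saying which step failed and why."""
    result = {"host": host, "port": port, "addresses": [], "local": None,
              "connect_errno": None, "verdict": ""}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as e:
        result["verdict"] = f"name resolution failed ({e}): check /etc/hosts and named"
        return result
    addrs = sorted({info[4][0] for info in infos})
    result["addresses"] = addrs
    result["local"] = any(is_local_address(a) for a in addrs)
    notes = []
    if not result["local"]:
        notes.append("hostname does not resolve to an address on this host, so the "
                     "upgrade is contacting a remote CA")
    for addr in addrs:
        fam = socket.AF_INET6 if ":" in addr else socket.AF_INET
        with socket.socket(fam, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((addr, port))
            except socket.timeout:
                result["connect_errno"] = errno.ETIMEDOUT
            except OSError as e:
                result["connect_errno"] = e.errno
            else:
                result["connect_errno"] = 0
                notes.append(f"TCP connect to {addr}:{port} succeeded: the CA port is open")
                break
    if result["connect_errno"]:
        notes.append(_ERRNO_HINTS.get(result["connect_errno"],
                                      f"connect failed with errno {result['connect_errno']}"))
    result["verdict"] = "; ".join(notes)
    return result


def _serve_once(listener):
    conn, _ = listener.accept()
    conn.close()


def probe_with_local_listener():
    """Self-check: stand up a loopback listener on a free port and probe it."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        t = threading.Thread(target=_serve_once, args=(srv,), daemon=True)
        t.start()
        res = probe_ca_endpoint("127.0.0.1", port=port, timeout=2.0)
        t.join(2.0)
    return res


def probe_closed_port():
    """Self-check: probe a loopback port nobody listens on (the refused case)."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        port = tmp.getsockname()[1]
    return probe_ca_endpoint("127.0.0.1", port=port, timeout=2.0)


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa.somewhere.com"
    print(json.dumps(probe_ca_endpoint(target), indent=2))
```

Run it on the IPA server as `python3 probe_ca.py ipa.somewhere.com`. If the verdict is "nothing listening", the CA itself did not start and the place to look is the pki-tomcatd journal and the Dogtag debug log (the jss/pki/JDK issue discussed later in the thread would show up there); a "no route to host" verdict with a local address means the problem is in routing, interface state or the firewall rather than in IPA.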
I can't tell if this is a clean install or a migration from CentOS to Rocky. I'll assume it's a new installation (I've not had this happen on new installs). Could you show ipactl status after upgrading the new packages? Could you also show systemctl status for each service?
Thanks Louis for your help. I tried 2 times on 2 different days to update the packages without success (see the log from the previous post). So, in order to be able to get security updates, I put until now all ipa packages into the exclude list inside the dnf.conf file. In order to provide another try today and to add the requested service status, I removed the ipa packages from the exclude list, and that seems to work!
Really strange. I do not know if in the meantime I got any update that would help ipa to work today ... really strange. I know I did a server reboot as I got a kernel update ...
I would like to send the FreeIPA team and the helpers a thousand thanks for your help.
I wish you an awesome day ;-)
Best regards
-------------------------------
# LANG=C dnf info ipa-server
Last metadata expiration check: 1:36:05 ago on Sun Nov 7 13:13:39 2021.
Installed Packages
Name         : ipa-server
Version      : 4.9.2
Release      : 4.module+el8.4.0+664+1636a961
Architecture : x86_64
Size         : 1.0 M
Source       : ipa-4.9.2-4.module+el8.4.0+664+1636a961.src.rpm
Repository   : @System
From repo    : appstream
Summary      : The IPA authentication server
URL          : http://www.freeipa.org/
License      : GPLv3+
Description  : IPA is an integrated solution to provide centrally managed Identity (users,
             : hosts, services), Authentication (SSO, 2FA), and Authorization
             : (host access control, SELinux user roles, services). The solution provides
             : features for further integration with Linux based clients (SUDO, automount)
             : and integration with Active Directory based infrastructures (Trusts).
             : If you are installing an IPA server, you need to install this package.

[root@ipa ~]# LANG=C ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
You may be hitting what Alexander is pointing out with jss/pki. I think he was suggesting to have everything updated but have an older JDK build installed instead (e.g. downgrade it). I just don't know what version may work or if it's just a matter of going down just one version. I just don't have an IPA domain that ran into this problem. Perhaps you could try java-1.8.0-openjdk-1.8.0.302.b08-0.el8_4.x86_64 and see if you still run into the same issue.